docker-library/busybox

CVE-2022-28391 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

amehta-mstr opened this issue · 4 comments

CVE-2022-28391

Severity: Critical with 9.8 score
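The defence this CVE calls for, shown as an added example in C that is not BusyBox's or this image's own code: a filter that rewrites control bytes in a resolved name (such as a DNS PTR value) before it is printed to a VT-compatible terminal. It assumes the name is plain ASCII, as DNS names on the wire are (internationalised names arrive as punycode), so every byte outside printable ASCII is treated as suspect.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative helper (not BusyBox code): copy `in` to `out`, replacing any
 * byte outside printable ASCII (0x20..0x7e) with '?'. This covers ESC (0x1b)
 * and the other C0 controls, DEL (0x7f), and 8-bit bytes such as CSI (0x9b)
 * that a terminal may interpret as the start of a control sequence.
 * Returns the number of bytes rewritten; output is NUL-terminated and
 * truncated to fit `outsz`. */
size_t sanitize_for_terminal(const char *in, char *out, size_t outsz)
{
    size_t replaced = 0;
    size_t i;

    if (outsz == 0)
        return 0;

    for (i = 0; in[i] != '\0' && i + 1 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c < 0x20 || c > 0x7e) {
            out[i] = '?';
            replaced++;
        } else {
            out[i] = (char)c;
        }
    }
    out[i] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed sample: a PTR answer that smuggles an ANSI colour sequence. */
    const char *ptr_value = "host.example\x1b[31m";
    char safe[256];
    size_t n = sanitize_for_terminal(ptr_value, safe, sizeof safe);

    /* Prints: host.example?[31m (1 byte(s) rewritten) */
    printf("%s (%zu byte(s) rewritten)\n", safe, n);
    return 0;
}
```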

Unfortunately, there hasn't been a new release of BusyBox that includes a fix: https://busybox.net/ 😞

That being said, I obviously can't speak for all users of this image, but I imagine that specific vulnerable workflow is going to be very rare with users of this image. 😅

Any update on this? About to have to abandon Alpine Linux (BusyBox dependency) at my company unless we can get an idea if this will ever be addressed. Based on the last release it feels like BusyBox is dead and thus will retain these vulnerabilities indefinitely, which various vuln software rate as Critical or High.

Unfortunately, you're asking the wrong folks -- we don't maintain BusyBox, just the Docker container image packaging of it that's available at https://hub.docker.com/_/busybox.